[Users] Recompiling Zimbra's Nginx

Barry de Graaff info at barrydegraaff.tk
Fri Dec 22 10:00:13 CET 2017


No, it will not, but you need to pass on the external ip in oip

https://github.com/Zimbra-Community/account-history#log-external-ip

You may also need to do this in haproxy.

Barry

> On 22 Dec 2017, at 09:53, Omar Mochtar <iomarmochtar at gmail.com> wrote:
> 
> If I implement fail2ban or another blocking method on the proxy or mailbox server, it will block the IP of HAProxy.
> 
> On Dec 22, 2017 15:47, "Barry de Graaff" <info at barrydegraaff.tk> wrote:
> Perhaps use iptables and fail2ban...
> 
> Similar to
> https://github.com/Zimbra-Community/mailing-lists/wiki/DDOS-protection
> 
> Why not use zimbra dosfilter?
> 
> Barry
> 
>> On 22 Dec 2017, at 09:33, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>> 
>> 
>> 
>> Yes, HAProxy is in front of zimbra MTA & proxy server, since it's a load balancer. 
>> 
>> What I found in the HAProxy log file is just information about the source and destination server, and it's very verbose because it is used with quite high client traffic, so I cannot trace which source IP is using (or trying to use) account X, as I could in a normal nginx.log without HAProxy.
>> 
>> 
>> 
>>> On Dec 22, 2017 15:13, "Barry de Graaff" <info at barrydegraaff.tk> wrote:
>>> Hello Omar,
>>> 
>>> I dunno, but isn't it easier to just put haproxy in front of zimbra proxy and block all from there?
>>> 
>>> Barry
>>> 
>>>> On 22 Dec 2017, at 08:47, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>>>> 
>>>> Hi All, 
>>>> 
>>>> 
>>>> 
>>>> Here's the background of the issue: I implemented HAProxy as a load balancer for the Zimbra MTA & Proxy (webmail, pop3, imap) services and it was running smoothly until we had a brute force issue. When I want to block the source IP of the brute force, the log files just show the HAProxy server's IP, since the traffic comes from it.
>>>> 
>>>> 
>>>> After searching, the solution is to use HAProxy's Proxy Protocol, which adds additional source information to the packets that are forwarded to its backend servers. For Postfix there is clear documentation on HAProxy's official blog (https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/), and for the remaining services (webmail, pop3, imap), which are handled by Nginx, the only clue is this documentation: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol .
>>>> 
>>>> 
>>>> Unfortunately, nginx's proxy_protocol configuration is available from version 1.9.2 and the Nginx version in Zimbra 8.7 is 1.7.1.
>>>> 
>>>> The question is how to recompile a new version of Nginx (including its zmlookup modules, etc.) that will replace the existing one?
> 
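
The Proxy Protocol mentioned in the thread prepends one text line (version 1) to each forwarded connection, and the backend has to read the client address from that line for logging or fail2ban. The sketch below is an added example, not code from the thread, Zimbra or HAProxy; it parses a v1 header and only honours it when the TCP peer is the load balancer. The balancer address, function names and sample bytes are constructed assumptions.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header including CRLF, per the PROXY protocol spec

# Assumption: address of the HAProxy host as seen by the backend (constructed).
TRUSTED_BALANCERS = {ipaddress.ip_address("10.0.0.2")}


def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, rest); src_ip is None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # application bytes that follow the header
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])  # raises ValueError if invalid
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return src, sport, rest


def client_ip(peer: str, first_bytes: bytes):
    """Address to log or ban: the header's source only if the peer is trusted."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_BALANCERS:
        # Direct connection: a header from an arbitrary peer could be forged
        # to get someone else's address banned, so ignore it.
        return peer_ip
    src, _, _ = parse_proxy_v1(first_bytes)
    return src if src is not None else peer_ip


if __name__ == "__main__":
    # Constructed sample: what the backend receives from the balancer.
    sample = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 143\r\na001 CAPABILITY\r\n"
    print(client_ip("10.0.0.2", sample))
```
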